Re: [PATCH v3] ntfs: fix VCN overflow in ntfs_mapping_pairs_decompress()

[Hyunchul Lee <hyc.lee@gmail.com>]

Hello Zhan,

On Thu, Apr 23, 2026 at 12:52:26PM +0800, Zhan Xusheng wrote:
> In ntfs_mapping_pairs_decompress(), lowest_vcn is read from
> on-disk metadata and used as the initial vcn without validation.
> A malformed value can introduce an invalid (e.g. negative) vcn,
> corrupting the runlist from the start.
> 
> Additionally, the accumulation
>     vcn += deltaxcn
> 
> does not check for s64 overflow. A crafted mapping pairs array
> can wrap vcn to a negative value, breaking the monotonically-
> increasing invariant relied upon by ntfs_rl_vcn_to_lcn() and
> related helpers.
> 
> Fix this by validating lowest_vcn and using check_add_overflow()
> for vcn accumulation.
> 
> Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>

The recipient is wrong.
Anyway looks good to me.

Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com>

> ---
> v3:
>  - Use overflows_type() for lowest_vcn validation (Hyunchul)
> v2:
>  - Validate lowest_vcn from on-disk metadata
>  - Use check_add_overflow() for vcn accumulation
> ---
>  fs/ntfs/runlist.c | 24 +++++++++++++++++++++---
>  1 file changed, 21 insertions(+), 3 deletions(-)
> 
> diff --git a/fs/ntfs/runlist.c b/fs/ntfs/runlist.c
> index b213b4976d2b..be6ca3d374bb 100644
> --- a/fs/ntfs/runlist.c
> +++ b/fs/ntfs/runlist.c
> @@ -15,6 +15,8 @@
>   * Copyright (c) 2007-2022 Jean-Pierre Andre
>   */
>  
> +#include <linux/overflow.h>
> +
>  #include "ntfs.h"
>  #include "attrib.h"
>  
> @@ -739,6 +741,7 @@ struct runlist_element *ntfs_mapping_pairs_decompress(const struct ntfs_volume *
>  	int rlsize;		/* Size of runlist buffer. */
>  	u16 rlpos;		/* Current runlist position in units of struct runlist_elements. */
>  	u8 b;			/* Current byte offset in buf. */
> +	u64 lowest_vcn;		/* Raw on-disk lowest_vcn. */
>  
>  #ifdef DEBUG
>  	/* Make sure attr exists and is non-resident. */
> @@ -747,8 +750,14 @@ struct runlist_element *ntfs_mapping_pairs_decompress(const struct ntfs_volume *
>  		return ERR_PTR(-EINVAL);
>  	}
>  #endif
> +	lowest_vcn = le64_to_cpu(attr->data.non_resident.lowest_vcn);
> +	/* Validate lowest_vcn from on-disk metadata to ensure it is sane. */
> +	if (overflows_type(lowest_vcn, vcn)) {
> +		ntfs_error(vol->sb, "Invalid lowest_vcn in mapping pairs.");
> +		goto err_out;
> +	}
>  	/* Start at vcn = lowest_vcn and lcn 0. */
> -	vcn = le64_to_cpu(attr->data.non_resident.lowest_vcn);
> +	vcn = lowest_vcn;
>  	lcn = 0;
>  	/* Get start of the mapping pairs array. */
>  	buf = (u8 *)attr +
> @@ -823,8 +832,17 @@ struct runlist_element *ntfs_mapping_pairs_decompress(const struct ntfs_volume *
>  		 * element.
>  		 */
>  		rl[rlpos].length = deltaxcn;
> -		/* Increment the current vcn by the current run length. */
> -		vcn += deltaxcn;
> +		/*
> +		 * Increment the current vcn by the current run length.
> +		 * Guard against s64 overflow from a crafted mapping
> +		 * pairs array to preserve the monotonically-increasing
> +		 * vcn invariant.
> +		 */
> +		if (unlikely(check_add_overflow(vcn, deltaxcn, &vcn))) {
> +			ntfs_error(vol->sb, "VCN overflow in mapping pairs array.");
> +			goto err_out;
> +		}
> +
>  		/*
>  		 * There might be no lcn change at all, as is the case for
>  		 * sparse clusters on NTFS 3.0+, in which case we set the lcn
> -- 
> 2.43.0
> 
> 

-- 
Thanks,
Hyunchul